Hi all, my name is Carlos and I am the product manager for ClearPass @ Aruba Networks so hopefully I can clarify a few things for you.
Firstly, you don't need any guest licenses when you are authenticating against an external source, e.g. an AD, LDAP, SQL (or any of our supported authentication sources). This is also true in the case of SAML: if the identity store is external to ClearPass (which it will be, given CP is a Service Provider and not an Identity Provider for the purposes of SAML), then there are no guest license requirements. Using our branded captive portals and skin technology is a base platform feature and included for every customer.
Secondly, registering a device's MAC address through our web portals and doing subsequent MAC auth to the network also does not require any guest licenses. So you can have a user log in with their AD (or other external) credentials, capture the device MAC address and cache that for subsequent authentication, all with the platform features out of the box.
The only time guest licenses are consumed is when you provision an account into the CP Guest database and that guest account is used to authenticate to the network. So you can actually create 1000s of guest accounts in the database, but if only 100 of those are being used per day, then you only need to support 100 Guest licenses.
Now one thing to also remember is the AAA capacity of the box, and that is something independent of how the user/device authenticates (user/pword, TLS cert, MAC address, etc). The AAA capacity for our appliances is for 500, 5k or 25k unique endpoints and does support bursting to deal with peaks and exceptions.
I hope that clarifies a few things; feel free to reach out to me if you need any more clarification.
carlos@aruba